
System privileges define permissions users have on the system as a whole. The system privilege object is special in that there is only one system object and therefore no privilege object has to be selected when granting system permissions.

Permissions granted for the system privilege object can be thought of as global permissions. Table 1 lists the available system permissions.

System permissions are not inherited and are not transformed from other privilege objects. System permissions themselves are transformed into permissions on other privilege objects.

Permission name

No

Description, Actual actions granted

Manage users and user groups (0)

0

Create, modify and delete users and user groups. Reset user passwords, manage user password expiry.

Assign users to user groups, remove users from user groups.

Note: A user can only be added to a user group if the user performing this action has this permission and also has all the permissions that the added user would get through the user group once he is assigned.

All permissions on root views (1)

1

Create new root views.

This permission is transformed into all available view permissions on all root views and therefore through inheritance on all views.

This is a strong permission that has implications for access to all data stored with features and observations. It is advised to use this permission sparingly.

Usually you should grant this permission only to users who really need to manage root views.

Modify system privileges (2)

2

Grant or revoke privileges with the system as privilege object.

Even if this permission is granted, only privileges with permissions granted to the accessing user can be granted or revoked.

A user cannot revoke permissions assigned to himself.

Close user sessions (3)

3

Close the user sessions of other users and therefore kick them from the Application Server.

Modify global settings (4)

4

Modify the values of global settings.

Purge fully deleted messages (5)

5

Purge all deleted messages that have been deleted by all recipients and the sender.

This permission is only needed for users who administrate the system and do regular cleanups.

Read authentication log (6)

6

Permission to read the authentication log.

This permission is usually only needed by users who monitor the system for security issues.

Purge authentication log (7)

7

Permission to delete old entries in the authentication log.

This permission is only needed for users who administrate the system and do regular cleanups.

Perform Distribution Server update (8)

8

Fetch and install updates from the Distribution Server.

List all jobs (9)

9

List all jobs (in any job state) no matter who the job owner is.

Manage jobs (10)

10

Manage all jobs irrespective of which user owns them.

Even if this system permission is not granted to a user, that user can still manage his own jobs (jobs started by this user).

This permission is usually only needed by users who want to monitor and manage the jobs and the load these jobs put on the system.

Purge archived jobs (11)

11

Delete the archived jobs, i.e. jobs that are finished.

Only needed by users who perform housekeeping on the Application Server.

Read user sessions (12)

12

Read the user session log.

Even if this permission is not granted, a user can always read his own user session history.

Create user session when server is closed (13)

13

Create a user session (and therefore log on to the Application Server) even if the server is closed.

Will only be needed by a few users, who want to perform housekeeping tasks while it is guaranteed that no other users are logged on.

List all approvals (14)

14

List all approvals.

Use privileged job priorities (16)

16

Create jobs with privileged priorities.

Purge features and observations (17)

17

[unused]

Purge user session log (18)

18

Purge the user session log.

Only needed by users who perform housekeeping on the Application Server.

List all observation alarms (19)

19

If this permission is granted, the user can list all observation alarms (of all users for all features).

Acknowledge all observation alarms (20)

20

Acknowledge all observation alarms even if the user has no acknowledging obligation.

Grant this permission to users who should be able to clean up unhandled acknowledgement requests.

Manage personal stored job definitions (21)

21

Can create stored job definitions.

Stored job definitions that run on a regular schedule might put a huge load on the system. Therefore you can use this permission to allow only specific users to create stored job definitions.

Manage stored jobs definitions (22)

22

If granted, allows a user to manage stored job definitions owned by other users.

Modify feature type privileges (23)

23

Grant and revoke privileges on feature types.

Even if this system permission is granted, the user can only grant or revoke privileges with permissions that he is granted himself.

Manage coordinate systems (24)

24

Create and modify coordinate systems that are used as reference systems for features and observations with spatial support.

All permissions on feature types (25)

25

Is transformed into all available feature type permissions on all feature types.

Modify general text templates (26)

26

Modify general text templates, like the templates used for sending out login details via email.

List all Features (27)

27

If granted, the user can list all features.

Manage message forwarding rules (28)

28

If granted, the user can create and modify message forwarding rules for other users and global message forwarding rules.

Table 1: Permissions that can be granted to the system privilege object
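
The delegation limits stated for permissions 0 and 2 in Table 1 can be modelled as set checks. The following is an added example, not code from the product: the Directory class, its method names and the sample users and groups are constructed for illustration, and it assumes that permissions received through group membership count as permissions the acting user holds.

```python
from dataclasses import dataclass, field

# Permission numbers from Table 1.
MANAGE_USERS = 0              # Manage users and user groups
MODIFY_SYSTEM_PRIVILEGES = 2  # Modify system privileges


@dataclass
class Directory:
    """Toy in-memory model (constructed); not the product's data model."""
    direct: dict = field(default_factory=dict)   # user  -> set of permission numbers
    groups: dict = field(default_factory=dict)   # group -> set of permission numbers
    members: dict = field(default_factory=dict)  # group -> set of users

    def effective(self, user):
        """Direct permissions plus those received through group membership (assumption)."""
        perms = set(self.direct.get(user, set()))
        for group, users in self.members.items():
            if user in users:
                perms |= self.groups.get(group, set())
        return perms

    def may_grant(self, actor, perms):
        """Permission 2 is required, and only permissions the actor holds can be passed on."""
        held = self.effective(actor)
        return MODIFY_SYSTEM_PRIVILEGES in held and set(perms) <= held

    def may_revoke(self, actor, target, perms):
        """Same limit as granting, plus: a user cannot revoke his own permissions."""
        return actor != target and self.may_grant(actor, perms)

    def may_add_to_group(self, actor, group):
        """Permission 0 is required, and the actor must hold everything the group confers."""
        held = self.effective(actor)
        return MANAGE_USERS in held and self.groups.get(group, set()) <= held


# Constructed sample data.
d = Directory(
    direct={"alice": {0, 2, 6}, "bob": {0}, "carol": set()},
    groups={"auditors": {6}, "root-view-admins": {1}},
    members={"auditors": {"bob"}},
)
```

With this data, alice can grant permission 6 but not permission 1, which she does not hold, and neither alice nor bob can add anyone to the constructed root-view-admins group.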

© 2021 AFRY Austria GmbH, www.redbex.com